Malicious PDF — malware analysis report

Static analysis result for SHA-256 76a25326f07705f2…

MALICIOUS

PDF

66.1 KB Created: 2021-08-19 06:16:50 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 5.11.3) First seen: 2021-09-27
MD5: 71816b1975f1eab68ea1f9b3eeadec3b SHA-1: 1214adf6e6f62ab2ec87e125d150b0174f3f67ec SHA-256: 76a25326f07705f27eecca3f763a526cad5cbe62ad483bec8507b0af3e97c699
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is a common technique for executing malicious code. It also features a link farm pointing to multiple compromised WordPress sites, indicating an attempt to distribute further payloads or conduct phishing. ClamAV detection as 'Pdf.Phishing.Trojan' further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9448

Heuristics 6

  • ClamAV: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2528dad23a95d95-d2528dad23a95d95-10044376-0
  • PDF link farm points to compromised-WordPress upload storage medium PDF_COMPROMISED_CMS_UPLOAD_LINK_FARM
    PDF contains multiple clickable links, across many distinct hosts, whose targets are random-slug files parked in the upload directories of vulnerable WordPress form plugins (FormCraft, Super Forms). This is the hallmark of the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains hosted on compromised sites. The PDF itself carries no exploit — the risk is the linked destinations.
  • Small PDF is a non-clustered link farm on disposable hosting medium PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dom-nenilovo.ru/wp-content/plugins/super-forms/uploads/php/files/d78e0ff47216cc56330cb4fa08360c6e/jopuwofa.pdf In PDF document text
    • http://pvsystreports.com/wp-content/plugins/super-forms/uploads/php/files/sh32o5arfim7s2sq5id4hibdq4/96472175768.pdfIn PDF document text
    • https://termokingbt.com/ckfinder/userfiles/files/fagikimuxo.pdfIn PDF document text
    • https://nobleanimalsanctuary.org/wp-content/plugins/super-forms/uploads/php/files/tmp/55241427451.pdfIn PDF document text
    • http://sgpeo.pl/users//file/kubejazimesojananodugek.pdfIn PDF document text
    • https://adiwirawanbali.com/wp-content/plugins/super-forms/uploads/php/files/17a0a9b3165436390cd029befe2d91fa/50522472672.pdfIn PDF document text
    • http://taketty.xyz/js/ckfinder/userfiles/files/86673910913.pdfIn PDF document text
    • http://az4group.com.br/wp-content/plugins/formcraft/file-upload/server/content/files/16084b52ea6724---57350088844.pdfIn PDF document text
    • https://elesud.it/img_pagine/file/82378092304.pdfIn PDF document text
    • http://kirks-pool.com/wp-content/plugins/formcraft/file-upload/server/content/files/16076e57786ea9---84430099177.pdfIn PDF document text
    • http://plusbateria.com/wp-content/plugins/formcraft/file-upload/server/content/files/1607fc82e85c64---98494696728.pdfIn PDF document text
    • http://hochrainer-elsner.at/upload/files/xapelezonirilolunodozenu.pdfIn PDF document text
    • http://reutlinger.pl/userfiles/file/nariduvalosexazisafi.pdfIn PDF document text
    • http://kccmaul.com/files/files/masibuzukugifalotukavesa.pdfIn PDF document text
    • https://malashealthcare.com/userfiles/files/vavivonejexebefuviwu.pdfIn PDF document text
    • https://iamtimeshare.com/userfiles/file/14892274944.pdfIn PDF document text
    • http://bochosushi.com/wp-content/plugins/formcraft/file-upload/server/content/files/16096f1923d935---83707636915.pdfIn PDF document text
    • https://medok18.ru/wp-content/plugins/super-forms/uploads/php/files/b10000a1d7cc7e058a7befe88533e401/jorovuku.pdfIn PDF document text
    • http://howsonfamilyreunion.com/clients/5/57/57b8fe7d350e782a16e6afc8bdcd6467/File/talakanikidiwivapumubat.pdfIn PDF document text
    • http://jpind.pl/userfiles/file/nalela.pdfIn PDF document text
    • http://tort-art.ru/userfiles/file/70063016347.pdfIn PDF document text
    • https://spiuruguay.com/ckfinder/userfiles/files/3606210969.pdfIn PDF document text
    • http://dabaizhongxue.com/upload_fck/file/2021-5-16/20210516152550592542.pdfIn PDF document text
    • https://feedproxy.google.com/~r/1eyvgo/aqOO/~3/cv9VXjIrmdE/uplcv?utm_term=vadem%C3%A9cum+acad%C3%A9mico+de+medicamentos+pdf+gratisPDF link annotation
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000d29b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD29B 16792 bytes
SHA-256: 9d2294e344127da9ddc2b77d68b1576b6b78373885bc9da2859f180a98f2c1e1
font_01_sfnt_off0000eab2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEAB2 11140 bytes
SHA-256: dd82d66f11123d7345b10073c7d9d5811288ce68c5d63b709f449ec0672eaf9b